b'UNITED STATES GOVERNMENT\nNational Labor Relations Board\nOffice of Inspector General\n\n\n\n\n Laptop Computer Accountability and\n             Security\n\n\n                Report No. OIG-AMR-59-09-01\n\n\n\n\n                                              February 2009\n\x0cINSPECTOR GENERAL\n\n\n\n\n                NATIONAL LABOR RELATIONS BOARD\n\n                        WASHINGTON, DC 20570\n\nFebruary 27, 2009\n\nI hereby submit a review of Laptop Computer Accountability and Security,\nReport No. OIG-AMR-59-09-01. This audit was conducted to determine\nwhether Agency-owned laptop computers are properly controlled and\nconfigured to protect sensitive data.\n\nWe found that the Agency\xe2\x80\x99s laptop computers are not properly controlled and\nnot all of the laptop computers are configured to protect sensitive data. In\ngeneral, the Office of the Chief Information Officer lacks a system of internal\ncontrol for the Agency\xe2\x80\x99s laptop computers. As a result, there is a significant\nrisk of loss of equipment and, therefore, the data stored on that equipment.\nJust as significant as the lack of internal control, we found that personnel who\nare responsible for managing the laptop computers as an Agency asset lacked\nan understanding of those duties.\n\nIn addition to the lack of internal control, during the course of the audit we\nidentified 21 laptop computers as either being lost, stolen, or otherwise\nmissing. We also found that two additional laptop computers had been\nimproperly removed from the electronic inventory system. Information\nregarding these laptop computers was referred to the Office of Inspector\nGeneral investigative staff.\n\nIn his comments to the draft report, the Chief Information Officer stated that\n17 of the 21 laptop computers that were missing were considered excess\nequipment and ready for disposal. 
He also noted that the 17 laptop computers\nwere purchased prior to the Office of the Chief Information Officer being\nrelocated in the Agency\xe2\x80\x99s organizational structure. While both of those points\nmay be accurate, our concern with that analysis is that management officials\ncannot demonstrate that the loss of any one of the 17 missing laptop\ncomputers occurred before the change in the organizational structure or after\nthe computer\xe2\x80\x99s useful life.\n\x0c\x0c                                       TABLE OF CONTENTS\nBACKGROUND ......................................................................................1\n\nOBJECTIVE, SCOPE, AND METHODOLOGY ..........................................2\n\nFINDINGS ..............................................................................................3\n\nLOST OR STOLEN LAPTOP COMPUTERS ...............................................3\n\nCONTROLS OVER LAPTOP COMPUTERS ...............................................4\n  Written Procedures..............................................................................4\n  Receiving, Acceptance, and Inspection .................................................5\n  Physical Control over Laptop Computers .............................................6\n  Storage of Laptop Computers...............................................................7\n  Physical Inventory ...............................................................................7\n  Control Records...................................................................................7\n   Entering Laptop Computers in HAT .....................................................7\n   Purchases Information ........................................................................8\n   Assignment Accuracy of HAT ............................................................10\n   Other Assignment Errors Noted During the Audit................................10\n   Laptop Computers Removed from HAT 
..............................................10\n  Segregation of Duties.........................................................................11\n  Assignment of Accountable Property Officer.......................................11\nINFORMATION SECURITY....................................................................12\n  Encryption ........................................................................................12\n  Commonly Accepted Security Configurations .....................................13\nDONATED COMPUTER EQUIPMENT....................................................13\n  Inconsistent Internal Documents and Records for Headquarters ........14\n  Ineligible Recipients...........................................................................14\nRECOMMENDATIONS..........................................................................15\n\nATTACHMENT .....................................................................................16\n\nAPPENDIX\n\n        Memorandum from the Chief Information Officer "Laptop Computer\n        Accountability and Security Draft Report" (OIG-AMR-59), dated\n        February 20, 2009\n\x0c                                 BACKGROUND\n\nThe National Labor Relations Board (NLRB or Agency) administers the principal\nlabor relations law of the United States, the National Labor Relations Act of\n1935, as amended. To assist in achieving that mission, the Agency procured\n1,037 laptop computers between October 2004 and September 2007, at a cost\nof approximately $1.4 million. The laptop computers have been deployed at the\nAgency\xe2\x80\x99s Headquarters and across the 51 field offices and 3 administrative law\njudges satellite offices.\n\nWithin the Office of the Chief Information Officer (OCIO), responsibility for the\nmanagement of the laptop computers is assigned to the Associate Chief\nInformation Officer (CIO) for Customer Support. 
The Associate CIO for\nCustomer Support administers those duties by assignment of them to the\ncontractor who provides the OCIO\xe2\x80\x99s Help Desk services. To track and record\ninformation about individual laptop computers throughout their life cycle at\nthe Agency, the Help Desk contractor\xe2\x80\x99s employees use a system called HEAT\nAsset Tracker or \xe2\x80\x9cHAT.\xe2\x80\x9d \xe2\x80\x9cHEAT\xe2\x80\x9d is an acronym for Helpdesk Expert\nAutomation Tool.\n\nSeveral high-profile incidents at other agencies have identified a lack of control\nover laptop computers and the sensitive data maintained on them. On June\n23, 2006, the Office of Management and Budget (OMB) issued Memorandum\n06-16, Protection of Sensitive Agency Information. The memorandum identified\napplicable National Institute of Standards and Technology criteria to be\nfollowed and recommended steps that agencies should take that included\nencrypting data on mobile computers and devices, use of two-factor\nauthentication, using a time-out function, and logging computer-readable data\nextracts. Responsibility for the implementation of these procedures is assigned\nto the Associate CIO for Information Technology (IT) Security.\n\nOnce a laptop computer has reached the end of its useful life at the Agency, it\nis considered \xe2\x80\x9cexcess\xe2\x80\x9d property and, at Headquarters, is transferred to the\nProcurement and Facilities Branch (PFB) to be disposed of in accordance with\nGovernment-wide procedures. 
Field offices dispose of excess property locally.\nAt the NLRB, the general practice has been to donate the excess laptop\ncomputers to educational or charitable organizations.\n\n\n\n\n                                         1\n\x0c                 OBJECTIVE, SCOPE, AND METHODOLOGY\n\nThe objective of this audit was to determine whether Agency-owned laptop\ncomputers are properly controlled and configured to protect sensitive data.\nOur scope was laptop computers purchased or disposed of between October\n2003 and March 2008.\n\nWe reviewed Government-wide laws, regulations, and policy documents\nregarding property management and information security. We also reviewed\nAgency policies and procedures to identify operating procedures and for more\ndetailed guidance of property management and information security practices.\nWe interviewed employees in the OCIO, the PFB, and the Help Desk contractor\nto identify the operating procedures for the life cycle of laptop computers.\n\nWe obtained and reviewed accounting reports, requisition orders, purchase\norders, packing slips, and invoices for laptop computers purchased by the\nAgency between October 1, 2003 and March 2008, to identify the universe of\nlaptop computers purchased by the Agency. We contacted the vendors and\nshipping agents to obtain additional information regarding the laptop\ncomputers.\n\nWe evaluated controls over laptop computers from the initial purchase through\ndisposal. We reconciled the Agency\xe2\x80\x99s inventory of laptop computers to the\nacquisition documentation. 
We also reviewed the Agency\xe2\x80\x99s implementation of\nthe OMB memorandum regarding encryption and the standard security\nconfiguration.\n\nWe evaluated HAT to determine whether it meets the Financial System\nIntegration Office, formerly known as the Joint Financial Management\nImprovement Program (JFMIP), Property Management System Requirements.\n\nThis audit was performed in accordance with generally accepted government\nauditing standards during the period June 2008 through January 2009. Those\nstandards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We conducted this audit at NLRB\nHeadquarters in Washington, DC.\n\n\n\n\n                                       2\n\x0c                                   FINDINGS\n\nThe Agency\xe2\x80\x99s laptop computers are not properly controlled and not all of the\nlaptop computers are configured to protect sensitive data. The OCIO is not\nable to account for all of the laptop computers that it has purchased. The\nprocess for receiving and deploying laptop computers is not documented in\npolicy documents. The system to monitor the inventory of laptop computers is\nunreliable in that it lacks accuracy and is subject to improper manipulation.\nThere is also a lack of segregation of duties among the employees of the\ncontractor who operated the database that maintains the inventory of laptop\ncomputers. The system used by the Associate CIO for IT Security to ensure\nthat laptop computers are encrypted is not reliable and the OCIO had not\nimplemented the Commonly Accepted Security Configurations, as required by\nOMB.\n\n\nLOST OR STOLEN LAPTOP COMPUTERS\n\nTwenty-one laptop computers were identified as being either lost, stolen, or\nmissing. 
The situations involving these laptop computers are detailed below:\n\n\xe2\x80\xa2   The Associate CIO for Customer Support identified two laptop computers\n    that he believed were returned to the manufacturer for repair, but no\n    records or supporting documentation exists to support that belief.\n\n\xe2\x80\xa2   The Associate CIO for Customer Support identified one laptop computer,\n    from the OCIO loaner pool, that was temporarily issued to an employee in\n    July 2006, who then left the Agency in June 2007. HAT records show that,\n    in December 2007, the laptop computer was reassigned from that former\n    employee to storage. The laptop computer is now missing.\n\n\xe2\x80\xa2   Inventories conducted in Regional Offices listed five laptop computers that\n    were identified by Regional Office personnel as lost or missing.\n\n\xe2\x80\xa2   Twelve laptop computers were identified as either \xe2\x80\x9cMissing/Research\xe2\x80\x9d or\n    \xe2\x80\x9cLoss/Stolen\xe2\x80\x9d in a document titled \xe2\x80\x9cInventory of Donated/Scrapped Items\xe2\x80\x9d\n    that is maintained by the contractor\xe2\x80\x99s database administrator.\n\n\xe2\x80\xa2   One laptop computer was on a list of serial numbers from the manufacturer\n    used to input information into HAT, but this laptop computer was not in\n    HAT. Based on a review of invoices and related payments, it appears that\n    the Agency paid for this laptop computer.\n\nThe Agency\xe2\x80\x99s Administrative Policies and Procedures Manual (APPM) Chapter\nPRO-1(A), Personal Property Management and Accountability, requires that the\n\n\n                                         3\n\x0cproperty custodian immediately notify the Chief, Security Branch, and the\nProperty Management Section upon discovery or awareness of any loss, theft,\nor damage to Agency property. 
We could not locate any information that this\nrequirement was fulfilled until well after the initiation of this audit.\nIndependent of that action, information regarding these laptop computers is\nbeing reviewed for possible investigation.\n\nIn his comments to the draft report, the CIO stated that 17 of the 21 laptop\ncomputers that were missing were considered excess equipment and ready for\ndisposal. The CIO also noted that the 17 laptop computers were purchased\nprior to the OCIO being relocated in the Agency\xe2\x80\x99s organizational structure.\nWhile both of those points may be accurate, our concern with that analysis is\nthat management officials cannot demonstrate that the loss of any one of the\n17 missing laptop computers occurred before the change in the organizational\nstructure or after the computer\xe2\x80\x99s useful life.\n\n\nCONTROLS OVER LAPTOP COMPUTERS\n\nInternal control serves as the first line of defense in safeguarding assets and\npreventing and detecting errors and fraud. It should not be thought of as a\nsingle event, but rather as a series of actions and activities that occur\nthroughout the operation of the Agency and on an ongoing basis.\n\nThe Agency did not utilize written procedures for managing laptop computers\nthroughout their life cycle. Because proper documentation was not\nmaintained, acceptance and inspection of laptop computers could not be\nverified. Laptop computers were not stored in secured locations prior to\ndeployment or issuance to individual employees. Information regarding\nindividual laptop computers was not timely entered into HAT upon receiving\nthe laptop computers from the vendor and HAT was not maintained in a\nmanner that ensured an acceptable level of accuracy. 
The HAT database\nadministrator had the ability to input, change, and remove records from HAT.\n\nWritten Procedures\n\nInternal control and all transactions and other significant events need to be\nclearly documented, and the documentation should be readily available for\nexamination. Documentation of internal control procedures should appear in\nmanagement directives, administrative policies, or operating manuals.\nThe auditor met with representatives from the OCIO, Help Desk contractor,\nand PFB between June 24 and July 9, 2008, to identify procedures related to\ninventory management throughout the laptop computer life cycle. On July 16,\n2008, the auditor requested that the Associate CIO for Customer Support\nprovide the standard operating procedures or desk manuals for this life cycle.\n\n\n                                         4\n\x0cOn July 29, 2008, the Associate CIO for Customer Support responded to the\nrequest for documentation of procedures by stating that there were no written\nprocedures and that the unwritten procedures that were used varied over time\nbased upon changing conditions.\n\nOn October 16, 2008, the Associate CIO for Customer Support provided the\nOffice of Inspector General (OIG) with written procedures. At that time, he\nstated that an OCIO employee found an electronic copy of the procedures when\nshe was reviewing their network drive that they use to store electronic\ndocuments. 
He also stated that he had not reviewed the document to\ndetermine whether it reflects their current practices.\n\nWithout written procedures that are properly issued, there is a complete lack of\ninternal control and employees and contractors cannot be expected to know\nhow to correctly perform their duties.\n\nReceiving, Acceptance, and Inspection\n\nThe Federal Acquisition Regulation (FAR) requires that a Government employee\ninspect goods to ensure that they conform to the contract\xe2\x80\x99s requirements and\nto document the inspection and acceptance of the goods. The FAR also\nrequires that an agency have procedures and instructions for this function.\nThe Agency\xe2\x80\x99s APPM has a provision that addresses inspecting and using the\nForm NLRB-12 to note discrepancies and damage, but those procedures do not\naddress noting acceptance. The Agency\xe2\x80\x99s record retention guidelines require\nthat such records be maintained for 2 years after the end of the fiscal year (FY)\nthat items were received.\n\nGenerally, computer shipments delivered to Headquarters were addressed to\nthe warehouse foreman. Upon receiving a shipment of laptop computers, the\nwarehouse employee contacted the OCIO to inform them of the delivery. The\nAssociate CIO for Customer Support then told the warehouse employee where\nto deliver the equipment. No particular OCIO staff member was responsible for\nacceptance or confirmation of the laptop computers that were delivered to\nHeadquarters and no documentation of the transfer between PFB and OCIO\ntook place.\n\nOccasionally, a laptop computer was shipped to the Agency by a method that\nresulted in delivery through the mailroom. Three deliveries of 15 laptop\ncomputers were received by the mailroom and had an acknowledgment of\nreceipt.\n\nLaptop computers delivered to field offices were either sent directly to the field\noffices by the vendor or sent to Headquarters, and then deployed. 
When laptop\ncomputers were sent directly from the vendor to the field office, personnel in\n\n\n                                         5\n\x0cthe field office either called or sent an e-mail message to the OCIO Customer\nRelations Manager to verify receipt. According to OCIO personnel, packing\nslips for these shipments were to be maintained in the field offices.\nWe reviewed the OCIO and Finance files to determine if inspections of the\nlaptop computer shipments were conducted and how damage, discrepancies,\nand acceptance were recorded. We were not able to locate any Form NLRB-12s\nin those files. We did find, however, packing slips that had some indication of\ninspection and acceptance. This is a summary of our effort to verify proper\ninspections and acceptance:\n\n\xe2\x80\xa2   We could not locate any packing slips for the 230 Dell D610 laptop\n    computers that were purchased at the end of September 2005 and received\n    in FY 2006. The invoices identify Headquarters as the delivery location.\n\n\xe2\x80\xa2   During FY 2005, the OCIO purchased 11 other miscellaneous laptop\n    computers and maintained the packing slips with notations for inspection\n    and acceptance for each shipment.\n\n\xe2\x80\xa2   Finance and the OCIO were able to provide packing slips for 309 of the 614\n    Dell D820 laptop computers purchased at the end of FY 2006 and received\n    in FY 2007. Some of these laptop computers were shipped to Headquarters\n    and others were shipped directly to field offices. Only one packing slip for\n    39 laptop computers showed any evidence of inspection and acceptance,\n    which was in the form of checkmarks on the document. The document did\n    not identify the person receiving the goods or the date this occurred.\n\n\xe2\x80\xa2   Packing slips were located for all 182 Dell D830 laptop computers\n    purchased at the end of FY 2007. The packing slips had some notation of\n    acceptance for 176 of the 182 laptop computers. 
The notations consisted of\n    checkmarks on the packing slip. The packing slips did not identify when or\n    who performed the acceptance.\n\nBecause the OCIO is responsible for approving invoices for payment and\nmaintaining the inventory of the laptop computers, it would appear to be\nreasonable that the documentation of acceptance and discrepancies should be\nmaintained by that office. By doing so, the OCIO would instill accountability\nand have accurate and verifiable information to begin the process of controlling\nthe laptop computer inventory.\n\nPhysical Control over Laptop Computers\n\nStandards for Internal Control in the Federal Government state that an agency\nmust establish physical control to secure and safeguard vulnerable assets.\nExamples of appropriate physical controls include limiting access to equipment\n\n\n\n                                         6\n\x0cand inventories. It also includes the creation and maintenance of appropriate\ncontrol records to which the inventories can be compared.\n\nStorage of Laptop Computers\n\nKeys used to gain access to computer storage areas at Headquarters were kept\nin an unsecure location. As a result, those areas were vulnerable to\nunauthorized access. During the audit field work, we brought this issue to the\nattention of OCIO staff and, because of the potential for loss, requested that\nthey properly secure the keys to the laptop computer storage areas.\n\nField offices were not instructed to keep the laptop computers shipped to them\nin a locked area pending deployment. The Associate CIO for Customer Support\nstated that field offices were instructed to not open any of the boxes. 
In\nDecember 2006, OIG staff observed laptop computers awaiting deployment\nbeing stored in an unsecured Regional Office conference room.\n\nPhysical Inventory\n\nAPPM Chapter PRO-1(A), Personal Property Management and Accountability,\nstates that property custodians are responsible for performing annual physical\ninventories as appropriate for assigned property.\n\nAn inventory of field office equipment was conducted by the contractor\ndatabase administrator between March and July 2008. The inventory was\nconducted by the contractor database administrator sending spreadsheets\ngenerated from HAT listing the equipment assigned to the particular field\noffices. Field office employees were instructed to verify the information in the\nspreadsheet, identify changes that were needed, and send the spreadsheet\nback to the database administrator. There was no verification of the\ninformation provided by the field offices. Responses from six field offices could\nnot be located and, therefore, were not available for our review.\n\nWe were unable to find any records of a comprehensive physical inventory of\nlaptop computers that had been performed at Headquarters, and\ndocumentation was not maintained for the limited work that was claimed to be\nperformed.\n\nControl Records\n\nEntering Laptop Computers in HAT\n\nInformation pertaining to the receipt of laptop computers was not recorded into\nHAT in a timely manner. Date of delivery information was available for 398 of\nthe 1,037 laptop computers that were purchased between FY 2004 and March\n\n\n                                         7\n\x0c31, 2008. We compared the date that the HAT record was created for an\nindividual laptop computer to its delivery date. Based on the comparison, we\nfound that most of the 398 laptop computers were entered into HAT more than\na month after being received by the Agency. 
Details of our testing appear in\nthe table below:\n\n                 Fiscal Year 2005 Fiscal Year 2006 Fiscal Year 2007\n                    Dell D610        Dell D820        Dell D830\nTime to          Number Percent Number Percent Number Percent\nRecord\nWithin 1 day            6      2.93           0                  22     12.16\nWithin 1                0                     0                  24     13.26\nweek\nWithin 1                8      3.90           1     8.33         73     40.33\nmonth\nMore than 1           191     93.17          11    91.67         62     34.25\nmonth\n   Total              205    100.00          12   100.00        181    100.00\n\n\nGiven the lack of physical security over the laptop computers and the failure to\ncreate and/or maintain evidence of acceptance and inspection, the failure to\ninitiate a timely control record creates a significant risk of loss to the Agency.\n\nPurchases Information\n\nFor the Hewlett Packard Business Notebooks and Dell model D610, D810,\nD820, and D830 laptop computers, we identified discrepancies between the\ndata in HAT and the purchase orders, shipping documents, and invoices we\nreviewed. In all, we found 44 discrepancies. Because the Agency did not\nmaintain appropriate control records, much of the information used to resolve\nthese items was obtained directly from the manufacturer. The discrepancies\nare outlined below:\n\nDescription                                                       Number\nSerial numbers for laptop computers on an invoice that was\npaid were not in HAT. The manufacturer provided the OIG\nwith information documenting that laptop computers with\ndifferent serial numbers were shipped to the Agency. Agency\nrecords did not address the discrepancy.                                 24\n\nLaptop computers replaced under warranty were removed\nfrom HAT and there was no notation that the new laptop\ncomputer was a replacement.                                              
10\n\n\n\n                                         8\n\x0cExcessed laptop computers removed from HAT.                             3\n\nLaptop computers purchased by the Agency that were not in\nHAT, but were identified as being logged into the Agency\nnetwork.                                                                2\n\nLaptop computers retained by the Agency when they should\nhave been returned to the vendor.                                       2\n\nLaptop computers with no record showing they were received\nby the Agency, but for which a record of payment exists.                1\n\n\n\nWe also discovered that, in May 2008, an OCIO employee directed that a Dell\nD810 laptop computer that was in HAT be removed from HAT. The bar code\nsticker was removed from the laptop computer and it was given to a\ncontractor\xe2\x80\x99s employee to be excessed or to do what he wanted with it. When we\nfirst made inquiries about the location of the laptop computer, the OCIO\nemployee could not recall any information regarding the laptop computer. The\nnext day, the OCIO employee informed us that the laptop computer had been\nfound. At that time, no mention was made that it had been in HAT and was\nremoved or that the bar code sticker had been removed. 
The OCIO employee\ndid state that the laptop computer had been abandoned by the vendor, that it\nwas an evaluation unit, and that he could do whatever he wanted with it.\nThose assertions were not correct in that the Agency paid for the laptop\ncomputer.\n\nWe later discovered misleading information related to the removal of the laptop\ncomputer that was recorded in the HEAT Help Desk \xe2\x80\x9ctickets.\xe2\x80\x9d The information\non the ticket states that the Dell D810 laptop computer was an evaluation unit\nthat was removed from HAT and sent back to the vendor by the OCIO\nemployee.\n\nWe found that another laptop computer, a Dell D820, was also removed from\nHAT after the OCIO employee again erroneously came to the determination that\nthe Agency had not purchased it. This time, the OCIO employee stated that he\nwas told that the vendor had no record of selling the laptop computer to the\nAgency. In August 2008, the laptop computer was identified in HAT as\nmissing. After October 15, 2008, the record of the laptop computer was\nremoved from HAT. When we made an inquiry about the status of the laptop\ncomputer in December 2008, the laptop computer was identified to us as one\nthat was being used by the OCIO. The OCIO employee could not explain how\nor when this laptop computer ended up being used by the OCIO. The OCIO\nemployee explained to us that someone told him that the Agency had not\n\n\n                                        9\n\x0cpurchased the laptop computer. He stated that the person had spoken to the\nvendor\xe2\x80\x99s representative and that the vendor had no record of selling the\ncomputer to the Agency. Based on our review of the invoices and payments, we\ndetermined that the Agency purchased and paid for this laptop computer.\n\nAssignment Accuracy of HAT\n\nA statistical sample of equipment in HAT as of August 22, 2008, was tested to\ndetermine the accuracy of the laptop computer inventory. The database\ncontained 1,156 units. 
A 90 percent confidence rate resulted in a sample size\nof 75 items. The 90 percent confidence level is consistent with Government\nAccountability Office guidance and our expected deviation rate. The results of\nour test can be projected to the population.\n\nWe compared the items in the sample to Systems Management Server (SMS)\nreports that listed the laptop computers logged on to the Agency\xe2\x80\x99s network and\nreceived software updates. Items at Headquarters that were not on SMS scans\nwere physically inspected. We verified the existence of laptop computers in\nfield offices that were not in SMS scans with either office managers or\nemployees assigned the laptop computers.\n\nHAT records were not accurate for 5 of the 75 (7 percent) laptop computers\ntested. HAT showed one laptop computer assigned to an OCIO employee, but\nthe laptop computer was actually in a loaner pool in a Regional Office. One\nlaptop computer assigned to a Division of Judges loaner pool was permanently\nassigned to an employee. A Regional Office sent one laptop computer to\nHeadquarters on May 14, 2008, to be excessed. HAT showed this laptop\ncomputer assigned to the Regional Office as of August 22, 2008. 
In another\nRegional Office, two laptop computers were transferred to another Government\nagency on June 10, 2008, yet still appeared in the Agency\xe2\x80\x99s inventory on\nAugust 22, 2008.\n\nOther Assignment Errors Noted During the Audit\n\nIn addition to the errors found in the statistical sample, while reviewing records\nwe found the following assignment errors:\n\n\xe2\x80\xa2   Three laptop computers were removed from HAT, but in fact had been\n    reassigned to Agency personnel and a contractor\xe2\x80\x99s employee.\n\n\xe2\x80\xa2   Seven laptop computers that had been assigned to a Headquarters employee\n    had in fact been distributed to seven field office employees.\n\nLaptop Computers Removed from HAT\n\n\n\n                                         10\n\x0cJFMIP-SR-00-4, Property Management System Requirements, states that\nproperty management systems must record beginning balances, acquisitions,\nand withdrawals. The system must also identify the type of transaction\naffecting the property item, e.g., initial acquisitions, change in location, and\ndisposal.\n\nThe OCIO removed a laptop computer from HAT when it was excessed, when\none was replaced under warranty, and when one could not be found.\nRemoving equipment from HAT destroys the history of the transactions\ninvolving the laptop computer and prevents maintenance of a control record.\nThe result is that there is no record in the inventory system that the Agency\never owned the laptop computer and it is not possible to reconcile the actual\ninventory of laptop computers to the expected inventory.\n\nSegregation of Duties\n\nStandards for Internal Control in the Federal Government state that key duties\nand responsibilities need to be divided or segregated among different people to\nreduce the risk of error or fraud. 
This should include separating the\nresponsibilities for authorizing transactions, processing and recording them,\nreviewing the transactions, and handling any related assets.\n\nRegional Office inventories were coordinated by the Help Desk contractor\xe2\x80\x99s\nemployee who is the HAT database administrator. By having the database\nadministrator performing this function, a lack of segregation of duties exists\nbecause the same person that is processing and recording transactions is also\nreviewing them by performing the inventory.\n\nThe contractor\xe2\x80\x99s HAT database administrator also inputted new laptop\ncomputers into the HAT system and removed laptop computers from that\nsystem when they were excessed. We found no records that documented the\nreview, verification, or approval of that action. The result is that this individual\nhas the ability to input or remove any laptop computer without detection by the\nOCIO\xe2\x80\x99s staff.\n\nAnother of the Help Desk contractor\xe2\x80\x99s employees has the ability to process and\nrecord activity related to excess equipment in HAT and handles the related\nasset without the transaction being reviewed. There was no evidence that the\nlist of excessed equipment created by the contractor\xe2\x80\x99s employee and provided to\nthe database administrator so that the equipment can be removed from HAT\nwas approved or verified by an OCIO employee.\n\nAssignment of Accountable Property Officer\n\n\n\n\n                                          11\n\x0cAPPM Chapter PRO-1(A) states that the Accountable Property Officer is\nresponsible for maintaining an unbroken audit trail for acquisition, receipt,\nissue, transfer, and disposal of Agency property. The appointment is to be in\nwriting by the PFB Chief.\n\nThe Agency has not appointed an Accountable Property Officer for laptop\ncomputers in a formal appointment document. 
The position description for the Associate CIO for Customer Support, however, states that the person in that position "[d]evelops and maintains a system for collecting, tracking/reconciling, and updating a database of all IT resources (computers, peripherals, and software licensing)." This responsibility is for all NLRB locations. The position description is not a replacement for a written appointment.


INFORMATION SECURITY

Encryption

OMB Memorandum 06-16, Protection of Sensitive Agency Information, was issued on June 23, 2006. This memorandum requires agencies, among other things, to encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive.

The Agency implemented this memorandum through APPM Chapter IT-4, Protection of Sensitive Agency Information, issued on July 31, 2007. This policy states that all Agency laptop computers will have encryption software installed, regardless of the sensitivity of the data stored on them.

Sixty-eight of the Agency's laptop computers that were identified as being "installed" were not encrypted. The Agency's inventory consisted of 1,159 laptop computers on October 15, 2008. Of that number, 73 were either in storage or in the process of being excessed. The list of encryption keys, which documents laptop computers with encryption, provided by the IT Security Office on October 9, 2008, included 1,018 laptop computers, leaving a balance of 68 in the Agency's inventory that were not encrypted. Of those 68 laptop computers, 6 laptop computers may have been issued an exemption by the OCIO from the encryption process.

We were unable to ascertain exactly which laptop computers were not encrypted because the encryption key report does not identify the serial number of the laptop computers.
Instead, it uses the NetBIOS name as the identifier, and the NetBIOS names are not captured in HAT.

The procedure used by the IT security personnel to determine whether the laptop computers being used are encrypted consists of obtaining a list of Dell Models D610, D820, and D830 from the HAT database administrator and manually comparing this to a report provided by the encryption software vendor. The computer NetBIOS name is compared to the customer identification name. The weakness with this method is that it uses a manual process to compare the NetBIOS name and the customer identification field, and the two are not identical.

Another weakness with this process is that it relies on an incomplete inventory of the Agency's laptop computers. By May 15, 2008, any laptop computer that was designated as obsolete by the OCIO was to be removed from use by Agency personnel. Despite that directive, we found that 71 laptop computers that were designated as obsolete were listed in HAT and categorized as "installed." The procedures described by the IT Security Office to ensure that laptop computers were encrypted did not include reviewing reports that listed this obsolete, but "installed," equipment.

Commonly Accepted Security Configurations

OMB Memorandum 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, was issued on March 22, 2007. This memorandum required agencies that either operate or plan to upgrade to Windows XP or Vista to adopt the Commonly Accepted Security Configurations (CASC) by February 1, 2008.

The Agency had not fully implemented the CASC. In August 2008, the Associate CIO for IT Security said that a pilot project was being conducted at one Regional Office and one Headquarters office.
On October 31, 2008, the Associate CIO for Customer Support identified an additional office that was selected as a pilot for this initiative. At that time, the Associate CIO for Customer Support said that the CASC have not been fully implemented. He stated that the OCIO wanted to comply with the memorandum, but many of the security settings do not allow some of the Agency applications to properly execute.

In his comments to the draft report, the CIO stated that all but 18 of the more than 600 security settings were implemented across the Agency in January 2009. The CIO also stated that the 18 security settings that were not implemented were reported as an exception to OMB. We will evaluate the implementation of these settings during the audit follow-up process.


DONATED COMPUTER EQUIPMENT

Executive Order 12999, issued on April 17, 1996, created a program that directs agencies to give educationally useful excess Federal equipment to schools and nonprofit organizations. Agencies are either to give such excess equipment directly to a school or nonprofit group or to the General Services Administration for redistribution. This program has come to be known as "Computers for Learning."

Inconsistent Internal Documents and Records for Headquarters

When laptop computers are identified for disposition as excess equipment, a Help Desk contractor's employee prepares a schedule of this property and sends it via an e-mail message to another Help Desk contractor's employee to open a service ticket. That person also sends an e-mail message to PFB's warehouse unit with a list of equipment to be donated that is then to be used to compare to the property actually delivered to the warehouse.

The Help Desk contractor's employee who creates these schedules maintains copies of them, but does not save the related e-mail messages.
The database administrator, also a Help Desk contractor's employee, accumulates and compiles the information from the service tickets on a spreadsheet and later removes the laptop computers from HAT either in a large group or once a month depending on the volume of activity. PFB maintains receipts from organizations that receive the excessed laptop computers from Headquarters. These three pieces of information should be in agreement.

We identified nine laptop computers that should have been included in the e-mail messages sent to the Help Desk that were not located in the records maintained by the database administrator. Six of these were in the records maintained by PFB. We identified 38 laptop computers that were in the database administrator's records that were not located in PFB records as donated. Seven of these were in the records maintained by the contractor's employee who identifies the equipment for disposition. We also identified 14 laptop computers that were in the PFB records that were not in the database administrator's records. Six of these were in the records maintained by the contractor's employee who identifies the equipment for disposition.

Ineligible Recipients

We identified two computer equipment recipients that were ineligible to participate in the Computers for Learning program. They were ineligible because they were either not non-profit organizations registered with the Internal Revenue Service or were not educational organizations.

Staff in PFB stated that it is difficult for them to find educational or non-profit groups willing to take excess computer equipment from Headquarters.
It was their observation that schools in the metropolitan District of Columbia region have access to an extensive amount of excess computer equipment and the Agency's equipment is not competitive.


RECOMMENDATIONS

We recommend that the Chief Information Officer:

  1. Develop and maintain a system or process that will provide proper internal control over the Agency's laptop computers throughout their asset life cycle. This system should include written procedures and a method for ensuring that the procedures are followed. Additionally, the OCIO should consider obtaining inventory control software to assist in the process. At a minimum, the actions implementing this recommendation must conform to the Standards for Internal Control in the Federal Government and the JFMIP requirements.

  2. Encrypt all laptop computers that are in use by Agency personnel.

  3. Develop and maintain a system that will ensure that all laptop computers in use by Agency personnel are encrypted.

  4. Implement Commonly Accepted Security Configurations in conformance with OMB Memorandum 07-11.

  5. Obtain training on the Standards of Ethical Conduct for Employees of the Executive Branch for the OCIO personnel in the areas of the use of Government property and dealing with outside sources.

  6. Obtain training on information technology asset control for the OCIO's Customer Support Section personnel.


ATTACHMENT
JFMIP REQUIREMENTS

The Financial Systems Integration Office, formerly known as the JFMIP, published the Property Management System Requirements (JFMIP-SR-00-4) in October 2000.
This document identifies functional requirements for property management systems for data systems used to manage both capitalized and expensed property.

HAT does not meet 6 of the 10 applicable requirements. A table showing the JFMIP 12 mandatory requirements and whether HAT meets those requirements is shown below.

                                                                   Meets
Requirement                                                        Requirement
1. Record beginning balances, acquisitions, and withdrawals        No
and calculate ending balances expressed in values and
physical units, except for heritage assets and stewardship
land for which all end-of-period balances are expressed in
physical units only.
2. Capture the condition of the asset for heritage assets,         N/A
stewardship land, national defense property, plant and
equipment (PP&E), and general PP&E for which a condition
assessment was performed.
3. Provide edits (controls) to prevent duplication and reduce      Yes
the likelihood of creating erroneous property documents and
records to ensure the integrity of data recorded in the
system.
4. Permit only authorized users to enter, modify, or               No
otherwise alter property records.
5. Provide an audit trail for entries to a property record,        No
including identification of individuals entering or approving
information and data.
6. Identify the type of transaction affecting the property item,   No
e.g., initial acquisition, change in location, and disposal.
7. Incorporate adequate security features that prevent             Yes
unauthorized access to the property system by unauthorized
individuals.
8. Enable the transfer of responsibility for property from one     Yes
authorized manager to another authorized manager.
9. Capture real property information for General Services          N/A
Administration's worldwide inventory system as directed in
Federal Property Management Regulation 102-84 (property
management only).
10. Produce reports in accordance with user-defined criteria.      Yes
11. Capture the fact that an environmental or hazardous            No
substance is located on or contained within a property item,
in accordance with 41 CFR 101-42.202.
12. Distinguish between capitalized property and expensed          No
property tracked in the property management system.


APPENDIX
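The encryption-coverage check described under INFORMATION SECURITY (comparing HAT's list of installed Dell laptops with the vendor's encryption-key report by NetBIOS name), written out as an added example that is not part of the OIG report or of the Agency's tooling; the record layouts, field names, exemption list and all values are constructed assumptions, and the normalizer is one way to bridge the non-identical NetBIOS and customer-identification names the report describes.

```python
"""Added example (not the OIG's or the Agency's code): reconcile a HAT laptop
inventory against a vendor encryption-key report, automating the check the
Encryption section describes and flagging the weaknesses noted there. All
records are constructed; the field names are assumed, not the real schema."""
import re

# Constructed HAT rows: serial, NetBIOS name, status, and OCIO obsolete flag.
HAT_INVENTORY = [
    {"serial": "SN0001", "netbios_name": "NLRB-R05-D610-01", "status": "installed", "obsolete": False},
    {"serial": "SN0002", "netbios_name": "NLRB-HQ-D820-07", "status": "installed", "obsolete": False},
    {"serial": "SN0003", "netbios_name": "NLRB-R12-D830-03", "status": "installed", "obsolete": False},
    {"serial": "SN0004", "netbios_name": "NLRB-R12-D610-09", "status": "installed", "obsolete": True},
    {"serial": "SN0005", "netbios_name": "NLRB-HQ-D830-11", "status": "storage", "obsolete": False},
    {"serial": "SN0006", "netbios_name": "NLRB-R05-D830-04", "status": "installed", "obsolete": False},
]
# Constructed vendor key report: customer identification names, which differ
# in case, separators, and DNS suffix from the NetBIOS names held in HAT.
ENCRYPTION_KEY_REPORT = [
    {"customer_id": "nlrb-r05-d610-01.nlrb.local"},
    {"customer_id": "NLRB_HQ_D820_07"},
    {"customer_id": "nlrb-r31-d820-02"},  # matches no HAT record
]
# Serials the OCIO exempted from the encryption process (constructed).
EXEMPTIONS = frozenset({"SN0006"})


def normalize_name(name):
    """Reduce a NetBIOS name or customer ID to one comparable key: drop any
    DNS suffix, lowercase, and strip separators so both sources align."""
    host = name.split(".")[0]
    return re.sub(r"[^a-z0-9]", "", host.lower())


def reconcile(inventory, key_report, exemptions=frozenset()):
    """Return the in-use count, unencrypted and obsolete-but-installed serials,
    and key-report names that match nothing in the inventory (laptops HAT
    never recorded, or a naming drift the normalizer does not cover)."""
    encrypted = {normalize_name(r["customer_id"]) for r in key_report}
    known = {normalize_name(r["netbios_name"]) for r in inventory}
    in_use = [r for r in inventory if r["status"] == "installed"]
    unencrypted = sorted(r["serial"] for r in in_use
                         if normalize_name(r["netbios_name"]) not in encrypted
                         and r["serial"] not in exemptions)
    return {
        "in_use": len(in_use),
        "unencrypted": unencrypted,
        "obsolete_in_use": sorted(r["serial"] for r in in_use if r["obsolete"]),
        "unmatched_keys": sorted(encrypted - known),
    }
```

Calling reconcile(HAT_INVENTORY, ENCRYPTION_KEY_REPORT, EXEMPTIONS) reports SN0003 and SN0004 as installed but unencrypted, SN0004 as obsolete yet still "installed", and one key-report name with no HAT record; the serial number, not the NetBIOS name, is what lets the finding be tied back to a specific machine.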